Solved

Basic VPN to Cisco ASA without authentication

Posted on 2009-05-06
1,342 Views
Last Modified: 2012-05-06
Could anyone help me? I'm vaguely familiar (but certainly no expert) with the PIX, but this is my first ASA, and it's giving me grief! I've got most of it working, but I'm stuck on the VPN. We use VPN to PIX to access small sites without further authentication -- just group name and password and connect. (I know it's not good for security, but for what we do it works well, and often we have no other option anyway.)
Anyway, I can't get it to work on the ASA, but could really do with it, urgently!
Below are what I think are the relevant code fragments...
Could anyone please point me in the right direction... Please don't say it isn't possible any more!!
Thanks.
PIX code that seems to do the trick; comments in brackets are the bits the ASA turned its nose up at:
 
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
 
vpngroup lestac address-pool vpnpool (vpngroup deprecated)
vpngroup lestac password secret (ditto)
vpngroup lestac dns-server yserver1 (ditto)
vpngroup lestac wins-server yserver1 (ditto)
vpngroup lestac default-domain harlow (ditto)
vpngroup lestac idle-time 1800 (ditto)
 
ASA "bits" I tried to use to replace the "deprecated" PIX bits to get the same effect:-
tunnel-group lestac type ipsec-ra
tunnel-group lestac general-attributes
 address-pool vpnpool
 ! default-group-policy is a general-attributes sub-command, not an ipsec-attributes one
 default-group-policy lestac
tunnel-group lestac ipsec-attributes
 pre-shared-key secret
! the policy must exist before its attributes can be set
group-policy lestac internal
group-policy lestac attributes
 wins-server value 192.168.60.10
 dns-server value 192.168.60.10
 default-domain value harlow.local
 vpn-idle-timeout 1800
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec

Question by:seworby
4 Comments
 
LVL 10

Expert Comment

by:stsonline
ID: 24319983
For an ASA remote access VPN, you need pieces, three of which can be named the same: a group-policy, a tunnel-group, and a username. Here's a very basic example for vendor access:

! Create an ACL for vendor access to any destination
access-list vendor_acl extended permit ip any any

! Create a group policy
group-policy vendor internal

! Define the acl this policy will use
group-policy vendor attributes
  vpn-filter value vendor_acl

! Create the user
username vendor password *****

! Define the group policy and acl to control this user
username vendor attributes
  vpn-group-policy vendor
  vpn-filter value vendor_acl

! Define a tunnel group - type for remote access is 'ipsec-ra'
tunnel-group vendor type ipsec-ra

! Define the group characteristics
tunnel-group vendor general-attributes
  default-group-policy vendor

! Define the group password
tunnel-group vendor ipsec-attributes
  pre-shared-key *****

There are lots of other keywords you can include; for example, you can add 'vpn-idle-timeout 15' to the group-policy section and have the VPN logout after 15 minutes of idle time, you can add 'vpn-framed-ip-address 192.168.1.10 255.255.255.0' under the username attributes to assign an IP address to that user, and so on. But this framework will get you started... for more info, check out this link:

http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/sitesite.html


0
 
LVL 10

Expert Comment

by:stsonline
ID: 24319997
Sorry about the typo... the first line should read "you need four pieces..."  - the three names and an ACL.
0
 

Author Comment

by:seworby
ID: 24322642
Thanks for your help on this. As you can see from my code, I've got most of this in place. I've got the access_list bits in place, too, but didn't quote them because it's just not getting that far. I can't get past the Cisco client asking for username and password. The only bit I haven't got is the vpn_filter value bit, but I don't think it's going to be that causing my problem?
Having spent some time reading up last night, I'm wondering if it's my AAA I've got wrong. I'll have access to the ASA in a couple of hours and I'll take another look.
I'll let you know how I get on.
Thanks
0
 

Accepted Solution

by:seworby (earned 0 total points)
ID: 24325599
I have it working. Whether it's the right way or not is a different matter...
The key to it is to set up a user so it has a user in the database to allow the secondary authentication to authenticate against. It seems this isn't necessary on the PIX but is on the ASA.
The vpn_filter value turned out in the end to be a bit of a red herring, as having it on prevented traffic from passing once connected.
---
username xzy password xyz123 privilege 2

Thanks
0
